CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2023-49103

CVSS 10.0v3.1pub. 2023-11-21upd. 2025-10-31

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

🤖 AI Analysis
How it works

The graphapi application uses an external GetPhpInfo.php library, which exposes a publicly accessible URL. Accessing this URL returns the complete output of the phpinfo() function, including all web server environment variables. In containerized Docker deployments, environment variables are a typical mechanism for passing credentials and configuration, making their disclosure particularly critical. Importantly, simply disabling the graphapi application in the ownCloud panel does not remove the vulnerability — the library file remains accessible.

Impact

An unauthenticated attacker can obtain the administrator password, mail server credentials, license key, and other sensitive system configuration details, which in practice means complete takeover of the ownCloud instance.

Mitigation & patch

Update the owncloud/graphapi application to version 0.2.1 or 0.3.1. Since simply disabling the graphapi application does not eliminate the vulnerability, it is necessary to remove or block access to the GetPhpInfo.php file at the web server level. It is also recommended to rotate all credentials stored as environment variables (administrator password, SMTP data, license key) on all potentially affected instances. Details are available in the official ownCloud security advisory.

Who is affected

ownCloud owncloud/graphapi in versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1; Docker containers built after February 2023 are vulnerable — containers built before February 2023 are not vulnerable to credential disclosure

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Owncloud Graph Api

    APP
    Owncloud
    0.2.00.3.0

CISA KEV — detailsi

Vendori
ownCloud
Producti
ownCloud graphapi
Added to KEVi
November 30, 2023
Remediation deadline (US Federal)i
December 21, 2023(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

ownCloud graphapi contains an information disclosure vulnerability that can reveal sensitive data stored in phpinfo() via GetPhpInfo.php, including administrative credentials.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 21 grudnia 2023
Tags
Container
CWE
References

Related vulnerabilities

CVE-2023-49105CRITICAL9.8PL ✓ten sam vendor

OwnCloud: Pominięcie uwierzytelniania przez pre-signed URL (WebDAV API)

CVE-2021-35946CRITICAL9.8ten sam vendor

A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the...

CVE-2020-28645CRITICAL9.1ten sam vendor

Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow us...

CVE-2014-2052CRITICAL9.8ten sam vendor

Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to re...

CVE-2014-2048CRITICAL9.8ten sam vendor

The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an...